Comments (7)
hueniverse
commented on June 7, 2024
Requiring the entire payload to be loaded and parsed before authentication is a non-starter. It is poor server design. For example, in node, many times you just want to pipe an incoming request, like saving an uploaded file to disk. Once saved, you can calculate the payload hash and validate it. But you don't want to save the file first, before authenticating the request. This is a real-world example.
The only way to address it is to decouple (or at least make it optional) validating the integrity of the transmitted hash from validating the hash value against the payload. In the first we just make sure that the hash value wasn't tempered with. In the second we confirm it matches the payload.
Payload protection is hard. This is just half the story. The other is encoding of Unicode text which is going to cause paid in many implementation on the browser where the JS encoding isn't utf8 but node's default buffer to string encoding is.
Hawk isn't magic. You need to think about how to apply it. Payload protection is one example. Nonce verification is another. Both are tools provided to you by the protocol but you still need to know what you are doing to use it well.
from hawk.
mcdee
commented on June 7, 2024
All this is fine, but in that case it needs to be made clear when payload verification is something that happens post-process, because making it through the Hawk authentication layer says nothing about the contents of the payload regardless of whether payload verification is turned on or off in the server.
from hawk.
hueniverse
commented on June 7, 2024
Made clear to who?
from hawk.
mcdee
commented on June 7, 2024
First off to those who are looking to implement the protocol in their servers, so that would fall in to the existing README. I'd also put something in the same area that anyone who is implementing this in their servers needs to ensure that their users are clear as to the specifics of what is being authenticated when so that there are no mistakes made.
For my part, I haven't thought it through yet but suspect that I'll add options in to the Java implementation so that the server can be configured to carry out payload verification (by reading in the body as part of the authentication process) for everything or with exclusions based on MIME type and/or content size.
from hawk.
hueniverse
commented on June 7, 2024
Can you suggest language for the readme? Maybe we should start an 'implementation notes' section with advice from other authors?
from hawk.
mcdee
commented on June 7, 2024
Sent a pull request for the readme.
Would certainly make sense to add an implementation notes section, and happy to contribute to it.
from hawk.
lock
commented on June 7, 2024
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
from hawk.
Related Issues (20)
- Action required: Greenkeeper could not be activated 🚨 HOT 1
- Update deps HOT 1
- Rust Implementation HOT 3
- No Changelog HOT 4
- Only node 12
- Drop hapi 17
- Add TypeScript typings HOT 1
- Import changes made at hapi HOT 5
- Update mozilla/hawk to Mozilla repo standards HOT 1
- Decide future of hapi hawk plugin HOT 2
- Set up CI HOT 4
- Support webpack'ing hawk HOT 1
- Support use of this library in frontend code HOT 9
- Travis CI free usage ends Dec 3; mozilla repos should switch to other CI platforms HOT 1
- Using hawk in Angular app for absence.io
- Examples in API.md are broken
- Porting test framework HOT 2
- The incoming hash of the payload is being trusted and not verified HOT 15
- types.js:8 Uncaught ReferenceError: Buffer is not defined HOT 1
- calculateMac() should not be deprecated and split into two different versions HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hawk.